Fortinet white logo
Fortinet white logo

FortiGate-7000 Release Notes

Upgrading a FortiGate-7121F to FortiOS 6.2.9

Upgrading a FortiGate-7121F to FortiOS 6.2.9

Use the following information to upgrade a standalone FortiGate-7121F or a FortiGate-7121F FGCP HA cluster to FortiOS 6.2.9.

FortiOS 6.2.9 increases the FortiGate-7121F boot partition size. This change allows the FortiGate-7121F to support larger more complex configurations that include more VDOMs and firewall policies. Because of the boot partition size increase, the process of upgrading a FortiGate-7121F to 6.2.9 Build 1206 is a manual process that will take longer than normal and during this time the FortiGate-7121F will not be able to process traffic.

As well, graceful upgrade to FortiOS 6.2.9 is not supported for a FortiGate-7121F FGCP cluster. Instead you must change the FortiGate-7121Fs to operate as standalone FortiGates and upgrade each one separately before reforming the cluster.

The following procedure describes how to power down the FIMs and FPMs, install a special firmware image on each FIM, upload the special firmware image file to the TFTP server of the FIM in slot 1, and then install this firmware image on each FPM. Once both FIMs and all FPMs are running the special firmware image, you can use a normal firmware upgrade procedure to upgrade the FortiGate-7121F firmware to FortiOS 6.2.9 Build 1206

Note

Contact Fortinet Technical Support by logging to https://support.fortinet.com for assistance with upgrading your FortiGate-7121F to FortiOS 6.2.9 . The support team can supply you with the special firmware image file and assist with the following procedures.

The following procedures use the FortiGate-7121F system management module (SMM) console ports. For information about how to connect to and use these console ports, see Using the FortiGate-7121F SMM console ports.

Note

If you are operating a FortiGate-7121F FGCP HA cluster where the boot partition size of one of the FortiGate-7121Fs has been increased but one hasn't, you can use the following steps to increase the boot partition of just one of the FortiGate-7121Fs. The remaining FortiGate-7121F can continue to process traffic:

  1. Back up the configuration of the FortiGate-7121F that does not have the increased boot partition.

  2. Run the execute factoryreset command from the CLI of the primary FIM to reset all of the FIMs and FPMs to factory defaults.

  3. Configure the mgmt interface of the FortiGate-7121F to be able to connect to the TFTP server and use the procedures below to increase the boot partition size and upgrade to 6.2.9.

  4. Then, when you restore the configuration of the FortiGate-7121F it will re-join the cluster.

Installing the special firmware image on the FIMs

  1. Set up a TFTP server that can communicate with the 1-mgmt1 interface and upload the special FortiGate-7000F firmware build (file name: FGT_7000F-v6-build8176-FORTINET.out) to the TFTP server.

  2. Connect to one of the FortiGate-7121F system management module (SMM) console ports.

    You can also use SSH to connect to the SMM MGMT interface.

  3. From the SMM console or SSH connection, connect to the FortiOS CLI of the FIM in slot 1.

    Press Ctrl-T to enter console mode. Repeat pressing Ctrl-T until you connect to slot 1. Example prompt:

    <Switching to Console: FIM01 (9600)>

  4. Enter the command execute shutdown to power off all of the FIMs and FPMs in the chassis.

    The FIMs and FPMs take a few minutes to shut down.

  5. Power off all FIMs and FPMs using the fru deactivate <slot> command, for example:

    From the SMC SDI CLI you can use the following command to power off the FIM in slot 1:

    fru deactivate 1

    From the SMC SDI CLI you can use the following command to power off the FPM in slot 3:

    fru deactivate 3

  6. Use the following command to power on the FIM in slot 1

    fru activate 1

  7. While the FIM is starting, interrupt the start process by pressing any key.

    If the FIM has already started, you can run the execute reboot command to restart it.

  8. From the BIOS, press F to format the flash.

  9. From the BIOS, upload the special firmware image from the TFTP server.

    See Installing FIM firmware from the BIOS after a reboot for more information.

  10. Press Ctrl-T to enter console mode.

  11. Repeat pressing Ctrl-T to connect to the FortiOS CLI of the FIM in slot 2.

  12. Use the following command to power on the FIM in slot 2:

    fru activate 2

  13. Starting from step 7, repeat the previous steps to interrupt the start process by pressing any key and install the special firmware build on the FIM in slot 2.

Installing the special firmware image on the FPMs

  1. Make sure the 1-mgmt1 interface of the FIM in slot 1 can connect to the TFTP server.

    To do this you may need to add an IP address for the 1-mgmt-1 interface and a default route for the mgmt-vdom VDOM.

  2. Upload the special firmware image file to the TFTP server running on the FIM in slot 1.

    To do this, from the FortiOS CLI of the FIM in slot 1, enter:

    execute upload image tftp <image-file> comment <tftp-server-ip-address>

  3. For the CLI of the FIM in slot 1, use the following command to verify that the firmware image has been uploaded to the TFTP server of the FIM in slot 1:

    fnsysctl ls -l /data2/tftproot

    -rw-r--r-- 1 0 0 Mon Nov 22 15:40:38 2021 79259649 image.out

    -rw-r--r-- 1 0 0 Mon Nov 22 15:35:57 2021 1 miglogdisk_info

    In the above example output, image.out is the firmware image to be installed on each FPM.

  4. From the SMM console connection, press Ctrl-T until you can connect to the FPM in slot 3.

  5. From the SMC SDI CLI, use the following command to power on the FPM in slot 3:

    fru activate 3

  6. While the FPM is starting, interrupt the start process by pressing any key.

    If the FPM has already started, you can run the execute reboot command to restart it.

  7. From the BIOS, press F to format the flash.

  8. From the BIOS, press C to configure TFTP parameters, and use the following settings to upload the firmware image from the TFTP server of the FIM in slot 1:

    Image download port:    FIM01 TFTP Server
    DHCP status:            disabled
    Local VLAN ID:          none
    Local IP address:       169.254.254.3     
    Local subnet mask:      255.255.255.0
    Local gateway:          10.160.62.1       
    TFTP server IP address: 169.254.254.1     
    Firmware file name:     image.out 

    The Local IP address is 169.254.254.<slot>, where <slot> is the slot number.

    Firmware file name the file name is image.out.

  9. From the BIOS, press T to start the TFTP transfer.

    The firmware image file is uploaded to the FPM.

  10. From the BIOS, press D to install the image as the default firmware image.

    The FPM installs the firmware image and restarts.

  11. Repeat these steps for each FPM.

Installing FortiOS 6.2.9 Build 1206 firmware

Once all of the FIMs and FPMs are running the special firmware build, use a normal firmware upgrade procedure to upgrade the FortiGate-7121F firmware to FortiOS 6.2.9 Build 1206.

Upgrading a FortiGate-7121F to FortiOS 6.2.9

Upgrading a FortiGate-7121F to FortiOS 6.2.9

Use the following information to upgrade a standalone FortiGate-7121F or a FortiGate-7121F FGCP HA cluster to FortiOS 6.2.9.

FortiOS 6.2.9 increases the FortiGate-7121F boot partition size. This change allows the FortiGate-7121F to support larger more complex configurations that include more VDOMs and firewall policies. Because of the boot partition size increase, the process of upgrading a FortiGate-7121F to 6.2.9 Build 1206 is a manual process that will take longer than normal and during this time the FortiGate-7121F will not be able to process traffic.

As well, graceful upgrade to FortiOS 6.2.9 is not supported for a FortiGate-7121F FGCP cluster. Instead you must change the FortiGate-7121Fs to operate as standalone FortiGates and upgrade each one separately before reforming the cluster.

The following procedure describes how to power down the FIMs and FPMs, install a special firmware image on each FIM, upload the special firmware image file to the TFTP server of the FIM in slot 1, and then install this firmware image on each FPM. Once both FIMs and all FPMs are running the special firmware image, you can use a normal firmware upgrade procedure to upgrade the FortiGate-7121F firmware to FortiOS 6.2.9 Build 1206

Note

Contact Fortinet Technical Support by logging to https://support.fortinet.com for assistance with upgrading your FortiGate-7121F to FortiOS 6.2.9 . The support team can supply you with the special firmware image file and assist with the following procedures.

The following procedures use the FortiGate-7121F system management module (SMM) console ports. For information about how to connect to and use these console ports, see Using the FortiGate-7121F SMM console ports.

Note

If you are operating a FortiGate-7121F FGCP HA cluster where the boot partition size of one of the FortiGate-7121Fs has been increased but one hasn't, you can use the following steps to increase the boot partition of just one of the FortiGate-7121Fs. The remaining FortiGate-7121F can continue to process traffic:

  1. Back up the configuration of the FortiGate-7121F that does not have the increased boot partition.

  2. Run the execute factoryreset command from the CLI of the primary FIM to reset all of the FIMs and FPMs to factory defaults.

  3. Configure the mgmt interface of the FortiGate-7121F to be able to connect to the TFTP server and use the procedures below to increase the boot partition size and upgrade to 6.2.9.

  4. Then, when you restore the configuration of the FortiGate-7121F it will re-join the cluster.

Installing the special firmware image on the FIMs

  1. Set up a TFTP server that can communicate with the 1-mgmt1 interface and upload the special FortiGate-7000F firmware build (file name: FGT_7000F-v6-build8176-FORTINET.out) to the TFTP server.

  2. Connect to one of the FortiGate-7121F system management module (SMM) console ports.

    You can also use SSH to connect to the SMM MGMT interface.

  3. From the SMM console or SSH connection, connect to the FortiOS CLI of the FIM in slot 1.

    Press Ctrl-T to enter console mode. Repeat pressing Ctrl-T until you connect to slot 1. Example prompt:

    <Switching to Console: FIM01 (9600)>

  4. Enter the command execute shutdown to power off all of the FIMs and FPMs in the chassis.

    The FIMs and FPMs take a few minutes to shut down.

  5. Power off all FIMs and FPMs using the fru deactivate <slot> command, for example:

    From the SMC SDI CLI you can use the following command to power off the FIM in slot 1:

    fru deactivate 1

    From the SMC SDI CLI you can use the following command to power off the FPM in slot 3:

    fru deactivate 3

  6. Use the following command to power on the FIM in slot 1

    fru activate 1

  7. While the FIM is starting, interrupt the start process by pressing any key.

    If the FIM has already started, you can run the execute reboot command to restart it.

  8. From the BIOS, press F to format the flash.

  9. From the BIOS, upload the special firmware image from the TFTP server.

    See Installing FIM firmware from the BIOS after a reboot for more information.

  10. Press Ctrl-T to enter console mode.

  11. Repeat pressing Ctrl-T to connect to the FortiOS CLI of the FIM in slot 2.

  12. Use the following command to power on the FIM in slot 2:

    fru activate 2

  13. Starting from step 7, repeat the previous steps to interrupt the start process by pressing any key and install the special firmware build on the FIM in slot 2.

Installing the special firmware image on the FPMs

  1. Make sure the 1-mgmt1 interface of the FIM in slot 1 can connect to the TFTP server.

    To do this you may need to add an IP address for the 1-mgmt-1 interface and a default route for the mgmt-vdom VDOM.

  2. Upload the special firmware image file to the TFTP server running on the FIM in slot 1.

    To do this, from the FortiOS CLI of the FIM in slot 1, enter:

    execute upload image tftp <image-file> comment <tftp-server-ip-address>

  3. For the CLI of the FIM in slot 1, use the following command to verify that the firmware image has been uploaded to the TFTP server of the FIM in slot 1:

    fnsysctl ls -l /data2/tftproot

    -rw-r--r-- 1 0 0 Mon Nov 22 15:40:38 2021 79259649 image.out

    -rw-r--r-- 1 0 0 Mon Nov 22 15:35:57 2021 1 miglogdisk_info

    In the above example output, image.out is the firmware image to be installed on each FPM.

  4. From the SMM console connection, press Ctrl-T until you can connect to the FPM in slot 3.

  5. From the SMC SDI CLI, use the following command to power on the FPM in slot 3:

    fru activate 3

  6. While the FPM is starting, interrupt the start process by pressing any key.

    If the FPM has already started, you can run the execute reboot command to restart it.

  7. From the BIOS, press F to format the flash.

  8. From the BIOS, press C to configure TFTP parameters, and use the following settings to upload the firmware image from the TFTP server of the FIM in slot 1:

    Image download port:    FIM01 TFTP Server
    DHCP status:            disabled
    Local VLAN ID:          none
    Local IP address:       169.254.254.3     
    Local subnet mask:      255.255.255.0
    Local gateway:          10.160.62.1       
    TFTP server IP address: 169.254.254.1     
    Firmware file name:     image.out 

    The Local IP address is 169.254.254.<slot>, where <slot> is the slot number.

    Firmware file name the file name is image.out.

  9. From the BIOS, press T to start the TFTP transfer.

    The firmware image file is uploaded to the FPM.

  10. From the BIOS, press D to install the image as the default firmware image.

    The FPM installs the firmware image and restarts.

  11. Repeat these steps for each FPM.

Installing FortiOS 6.2.9 Build 1206 firmware

Once all of the FIMs and FPMs are running the special firmware build, use a normal firmware upgrade procedure to upgrade the FortiGate-7121F firmware to FortiOS 6.2.9 Build 1206.